the fact that its possible to calculate that far into an onion's address should make you cautious of the technology. While its unlikely that an ameture is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the proccess could do so.(if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if your a large company/government, buying them in bulk shouldn't be a problem)

its also know that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

Its not unreasonable to say tor is broken until they move to 4096 bit keypairs.

It's an SHA-1 hash, but in square root of the time. Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

This works all the time, as long as there are collisions in that space that match your hash.

Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

That doesn't make any sense at all, if they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash. It is the other way around, you must generate a public key and SHA-1 hash that, cut to 80 bits and convert to base32 and that'll be your service descriptor. Since each letter = 5 bits they basically brute force created 2^40 = public keys to find one that hashed to facebook*. There are tools for this, the estimate for a single 1.5 GHz processor choosing 8 letters is about ~25 d [stackexchange.com]

they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash.

I was assuming they had HASH(seed) = 0xDEADBEEF and they were trying to HASH("FACEBOOK" + whatever) and get 0xDEADBEEF. To do this, you would feed your hash function--which iteratively generates a hash based on a stream--"FACEBOOK", and then start appending 40-bit strings.

There was some assertion that the full length of the identifier is 80 bits, and that Facebook only brute forced 40 bits. This is how you find a hash collision with a known prefix: you hash the prefix, then continue computing the next

the fact that its possible to calculate that far into an onion's address should make you cautious of the technology. While its unlikely that an ameture is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the proccess could do so.(if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if your a large company/government, buying them in bulk shouldn't be a problem)

its also know that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

Its not unreasonable to say tor is broken until they move to 4096 bit keypairs.

De-anonymizing attacks have almost certainly already taken place (see the 2014 "Cicada 3301" contest for one example) so this shouldn't be the tipoff that if you are relying on a Tor hidden service for long term anonymity you are probably not going to find it. Tor can be used anonymously by clients who change their actual whereabouts often enough to avoid a pattern, but hidden services are ripe for exploit and always will be, the process is just too complex to avoid all possible weak links.

Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorisim network/whistleblower/whatever page.

Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorisim network/whistleblower/whatever page.

You forgot trolling/catfishing/generally shitting in the pool. I can see this having one rampant use: creation and manipulation of throwaway/hacked accounts. They better have one amazing captcha on the Tor-facing login page or Facebook is about to get a whole lot filthier.

So you go through Tor to access Facebook, where you immediately have to log in, and...

You really don't know anybody who uses Facebook pseudononymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

I know there are some people who use Facebook pseudononymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

Anonymous Twitter accounts make a lot more sense than anonymous facebook accounts.

I know there are some people who use Facebook pseudononymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

Because having an account usually allows you to access more profiles than not being logged in at all; some profiles are so restricted that you need to be a friend on their friends list to view, but that's another matter entirely.

I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential use

So you go through Tor to access Facebook, where you immediately have to log in, and...

What's the point again?

Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build

So you go through Tor to access Facebook, where you immediately have to log in, and... What's the point again?

Its mainly for the muppets who see Tor all over the news and just want a new fad to follow.They assume that because the media is shoving Tor down their throats, they have to use it because its "popular" and "cool". Rather than understanding what its designed for.

Gotta love the sheep flocking crowd.

Facebook's just in it for the news coverage, with a chance of bringing in some of those sheep who will log in, simple as.

I have no idea why I have to say it out loud. Hypocrites don't believe they're hypocrites. Frankly, they don't believe in hypocrisy. What they want, they deserve. What anyone else wants, is either irrelevant (if it doesn't interfere with what they want) or evil (if it does interfere with what they want).

Say what you will about unvarnished greed. At least it's internally consistent.

So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do identify yourself to that website then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site [eff.org] with your favourite browser and with tor browser, and compare the results.

It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recongnizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc.. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to gave Facebook everything it could work good enough. As others mentioned, the ability to use in a country where it is banned is pretty worth while. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

This is really a "news for nerds" sort of deal here. The general public, and even most power users aren't going to be all that interested in it due to the niche. As to why Facebook has elected to pursue an onion site, who knows. I doubt it's because they see a big future in Tor, or maybe they do. Given that Tor has a bit of a burden of knowledge to actually understand what it offers, most users won't know or care.

A lot of people here are really completely missing the point of this. It isn't for privacy conscious US or EU users, it is for users in countries where Facebook is completely banned/blocked. China, Iran, Syria, etc.

And it is a great thing to happen. It would be wonderful if Twitter did the same.

It is, but Facebook having their own TOR address is much more reliable (and likely faster) than having to use one of a limited number of exit nodes. Every person using the internal address will also reduce the burden on the exit nodes and give higher speeds so this is a win for everyone.

Yes, but it means going via an exit node. Exit notes can't sniff or meddle in your traffic if you use SSL, but they are under high contention. Few people are willing to take the legal risk of running one, as it carries a possibility of being falsely accused of a serious crime.

tor has been blocked in China for years, it's actually easier to block tor than facebook since with tor all you have to block is the protocol while if you want to block facebook (or any other TLS-encrypted site) you have to individually block each of the hundreds of constantly changing public IP-addresses

I guess they could block based on TLS certificate but for some reason this isn't done, that's why you can get around some blocks with hosts files etc

The magic rule of anonymity on Tor is don't go to websites that will actively attempt to use code to find out who you are....oh and don't log in as your actual first and last name on the worst website for privacy on the entire internet. That's probably a rule too.